Demonstrations of tcplife, the Linux BPF/bcc version.


tcplife summarizes TCP sessions that open and close while tracing. For example:

# ./tcplife
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
22597 recordProg 127.0.0.1       46644 127.0.0.1       28527     0     0 0.23
3277  redis-serv 127.0.0.1       28527 127.0.0.1       46644     0     0 0.28
22598 curl       100.66.3.172    61620 52.205.89.26    80        0     1 91.79
22604 curl       100.66.3.172    44400 52.204.43.121   80        0     1 121.38
22624 recordProg 127.0.0.1       46648 127.0.0.1       28527     0     0 0.22
3277  redis-serv 127.0.0.1       28527 127.0.0.1       46648     0     0 0.27
22647 recordProg 127.0.0.1       46650 127.0.0.1       28527     0     0 0.21
3277  redis-serv 127.0.0.1       28527 127.0.0.1       46650     0     0 0.26
[...]

This caught a program, "recordProg" making a few short-lived TCP connections
to "redis-serv", lasting about 0.25 milliseconds each connection. A couple of
"curl" sessions were also traced, connecting to port 80, and lasting 91 and 121
milliseconds.

This tool is useful for workload characterisation and flow accounting:
identifying what connections are happening, with the bytes transferred.


Process names are truncated to 10 characters. By using the wide option, -w,
the column width becomes 16 characters. The IP address columns are also wider
to fit IPv6 addresses:

# ./tcplife -w
PID   COMM             IP LADDR                      LPORT RADDR                      RPORT  TX_KB  RX_KB MS
26315 recordProgramSt  4  127.0.0.1                  44188 127.0.0.1                  28527      0      0 0.21
3277  redis-server     4  127.0.0.1                  28527 127.0.0.1                  44188      0      0 0.26
26320 ssh              6  fe80::8a3:9dff:fed5:6b19   22440 fe80::8a3:9dff:fed5:6b19   22         1      1 457.52
26321 sshd             6  fe80::8a3:9dff:fed5:6b19   22    fe80::8a3:9dff:fed5:6b19   22440      1      1 458.69
26341 recordProgramSt  4  127.0.0.1                  44192 127.0.0.1                  28527      0      0 0.27
3277  redis-server     4  127.0.0.1                  28527 127.0.0.1                  44192      0      0 0.32


In this example, I uploaded a 10 Mbyte file to the server, and then downloaded
it again, using scp:

# ./tcplife
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
7715  recordProg 127.0.0.1       50894 127.0.0.1       28527     0     0 0.25
3277  redis-serv 127.0.0.1       28527 127.0.0.1       50894     0     0 0.30
7619  sshd       100.66.3.172    22    100.127.64.230  63033     5 10255 3066.79
7770  recordProg 127.0.0.1       50896 127.0.0.1       28527     0     0 0.20
3277  redis-serv 127.0.0.1       28527 127.0.0.1       50896     0     0 0.24
7793  recordProg 127.0.0.1       50898 127.0.0.1       28527     0     0 0.23
3277  redis-serv 127.0.0.1       28527 127.0.0.1       50898     0     0 0.27
7847  recordProg 127.0.0.1       50900 127.0.0.1       28527     0     0 0.24
3277  redis-serv 127.0.0.1       28527 127.0.0.1       50900     0     0 0.29
7870  recordProg 127.0.0.1       50902 127.0.0.1       28527     0     0 0.29
3277  redis-serv 127.0.0.1       28527 127.0.0.1       50902     0     0 0.30
7798  sshd       100.66.3.172    22    100.127.64.230  64925 10265     6 2176.15
[...]

You can see the 10 Mbytes received by sshd, and then later transmitted. Looks
like receive was slower (3.07 seconds) than transmit (2.18 seconds).


Timestamps can be added with -t:

# ./tcplife -t
TIME(s)   PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
0.000000  5973  recordProg 127.0.0.1       47986 127.0.0.1       28527     0     0 0.25
0.000059  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47986     0     0 0.29
1.022454  5996  recordProg 127.0.0.1       47988 127.0.0.1       28527     0     0 0.23
1.022513  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47988     0     0 0.27
2.044868  6019  recordProg 127.0.0.1       47990 127.0.0.1       28527     0     0 0.24
2.044924  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47990     0     0 0.28
3.069136  6042  recordProg 127.0.0.1       47992 127.0.0.1       28527     0     0 0.22
3.069204  3277  redis-serv 127.0.0.1       28527 127.0.0.1       47992     0     0 0.28

This shows that the recordProg process was connecting once per second.

There's also a -T for HH:MM:SS formatted times.


There's a comma separated values mode, -s. Here it is with both -t and -T
timestamps:

# ./tcplife -stT
TIME,TIME(s),PID,COMM,IP,LADDR,LPORT,RADDR,RPORT,TX_KB,RX_KB,MS
23:39:38,0.000000,7335,recordProgramSt,4,127.0.0.1,48098,127.0.0.1,28527,0,0,0.26
23:39:38,0.000064,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48098,0,0,0.32
23:39:39,1.025078,7358,recordProgramSt,4,127.0.0.1,48100,127.0.0.1,28527,0,0,0.25
23:39:39,1.025141,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48100,0,0,0.30
23:39:41,2.040949,7381,recordProgramSt,4,127.0.0.1,48102,127.0.0.1,28527,0,0,0.24
23:39:41,2.041011,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48102,0,0,0.29
23:39:42,3.067848,7404,recordProgramSt,4,127.0.0.1,48104,127.0.0.1,28527,0,0,0.30
23:39:42,3.067914,3277,redis-server,4,127.0.0.1,28527,127.0.0.1,48104,0,0,0.35
[...]


There are options for filtering on local and remote ports. Here is filtering
on local ports 22 and 80:

# ./tcplife.py -L 22,80
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
8301  sshd       100.66.3.172    22    100.127.64.230  58671     3     3 1448.52
[...]


USAGE:

# ./tcplife.py -h
usage: tcplife.py [-h] [-T] [-t] [-w] [-s] [-p PID] [-L LOCALPORT]
                  [-D REMOTEPORT] [-4 | -6]

Trace the lifespan of TCP sessions and summarize

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output (seconds)
  -w, --wide            wide column output (fits IPv6 addresses)
  -s, --csv             comma separated values output
  -p PID, --pid PID     trace this PID only
  -L LOCALPORT, --localport LOCALPORT
                        comma-separated list of local ports to trace.
  -D REMOTEPORT, --remoteport REMOTEPORT
                        comma-separated list of remote ports to trace.
  -4, --ipv4            trace IPv4 family only
  -6, --ipv6            trace IPv6 family only

examples:
    ./tcplife           # trace all TCP connect()s
    ./tcplife -t        # include time column (HH:MM:SS)
    ./tcplife -w        # wider columns (fit IPv6)
    ./tcplife -stT      # csv output, with times & timestamps
    ./tcplife -p 181    # only trace PID 181
    ./tcplife -L 80     # only trace local port 80
    ./tcplife -L 80,81  # only trace local ports 80 and 81
    ./tcplife -D 80     # only trace remote port 80
    ./tcplife -4        # only trace IPv4 family
    ./tcplife -6        # only trace IPv6 family
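

Added example (not part of the original bcc document): a Python post-processor
for the -stT CSV mode shown above. It does the flow accounting this page
describes, totalling bytes per destination, and flags destinations contacted at
regular intervals, as recordProg's once-per-second connections were. The
function names, thresholds and sample rows are assumptions constructed for
illustration.

```python
import csv
import statistics
from collections import defaultdict

# Constructed sample in the `tcplife -stT` CSV layout (values are illustrative).
SAMPLE = """\
TIME,TIME(s),PID,COMM,IP,LADDR,LPORT,RADDR,RPORT,TX_KB,RX_KB,MS
23:39:38,0.000000,7335,recordProgramSt,4,127.0.0.1,48098,127.0.0.1,28527,0,0,0.26
23:39:39,1.025078,7358,recordProgramSt,4,127.0.0.1,48100,127.0.0.1,28527,0,0,0.25
23:39:40,1.500000,7798,sshd,4,100.66.3.172,22,100.127.64.230,64925,10265,6,2176.15
23:39:41,2.040949,7381,recordProgramSt,4,127.0.0.1,48102,127.0.0.1,28527,0,0,0.24
23:39:42,3.067848,7404,recordProgramSt,4,127.0.0.1,48104,127.0.0.1,28527,0,0,0.30
[...]
"""

def summarize(lines):
    """Aggregate sessions per (COMM, RADDR, RPORT): end times and KB totals."""
    flows = defaultdict(lambda: {"times": [], "tx_kb": 0, "rx_kb": 0})
    for row in csv.DictReader(lines):
        try:
            key = (row["COMM"], row["RADDR"], int(row["RPORT"]))
            t, tx, rx = float(row["TIME(s)"]), int(row["TX_KB"]), int(row["RX_KB"])
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated or non-data lines such as "[...]"
        flows[key]["times"].append(t)
        flows[key]["tx_kb"] += tx
        flows[key]["rx_kb"] += rx
    return flows

def periodic(flows, min_sessions=4, max_cv=0.1):
    """Return {key: mean gap (s)} for flows whose gaps have stdev/mean <= max_cv."""
    hits = {}
    for key, flow in flows.items():
        times = sorted(flow["times"])
        if len(times) < min_sessions:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = round(mean, 3)
    return hits

def heavy(flows, threshold_kb=1024):
    """Return {key: (tx_kb, rx_kb)} for flows that moved at least threshold_kb."""
    return {k: (f["tx_kb"], f["rx_kb"]) for k, f in flows.items()
            if max(f["tx_kb"], f["rx_kb"]) >= threshold_kb}

if __name__ == "__main__":
    flows = summarize(SAMPLE.splitlines())
    print("periodic:", periodic(flows), "heavy:", heavy(flows))
```

Server-side rows (such as sshd on local port 22) carry an ephemeral remote
port, so each lands in its own group; key on LPORT instead when accounting for
listening services.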